VIRUS-L Digest   Wednesday, 27 Sep 1989    Volume 2 : Issue 205

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

Re: Is this a virus? (PC)
Anti-virus virus
re: IBM Virus (from EXPERT-L list) (PC)
LAN boot disks. (PC)
ACS Demo - is it a virus? (Apple)
Information wanted about Selftest (tm)
notchless disks (PC)
Atari ST VIRUS ALERT!!
Lotus Virus
Re: IBM Virus (from EXPERT-L list) (PC)
Tiger Teams
Re: Software company distributing viruses (PC)
Tiger Teams & Viruses
Disk Killer Virus (PC)
Re: SCANV38 (PC)

---------------------------------------------------------------------------

Date: 26 Sep 89 16:13:44 +0000
From: carroll1!dnewton@uunet.UU.NET (Dave Newton)
Subject: Re: Is this a virus? (PC)

In article <0008.8909251230.AA29228@ge.sei.cmu.edu> Christoph.Fischer.RY15@DKAUNI11 writes:
>Hi,
> we just had an inquiry about 4 strange files that appeared on a
>Microsoft WORD installation. All 4 files are hidden system and readonly.
>
>The file MWA is text and contains:
>
>Copyright 1984 by Microsoft
>Word Freedom Fighters: [names deleted]
>Charles Simonyi
 ^^^^^^^^^^^^^^^
I only recognize this name as being a guy who worked/works at Microsoft;
he was profiled in the Microsoft Press book _Programmers at Work_. Plus
it's pretty unlikely that Microsoft would copyright a virus. Of course,
it could just be a ruse...

David L. Newton       | dnewton@carroll1.UUCP          | Quote courtesy of
(414) 524-7343 (work) | dnewton@carroll1.cc.edu        | Marie Niechwiadowicz,
(414) 524-6809 (home) | 100 NE Ave, Waukesha, WI 53186 | Boston College.
[Q]: How many surrealists does it take to screw in a light bulb?
[A]: The fish.

------------------------------

Date: 26 Sep 89 16:40:00 +0000
From: carroll1!dnewton@uunet.UU.NET (Dave Newton)
Subject: Anti-virus virus

One of the arguments raised against AVV's is the possible escalation of
viral warfare. It seems to me that this has already happened with the
vaccine programs. I'd be almost certain that most virus writers will try
to circumvent detection by writing (perhaps) a self-modifying virus, or a
resident virus that will attempt to detect detection.

If any comp.virus readers have read any of William Gibson's "Cyberpunk"
novels, in which software protection (ICE) is handled by AI, the concept
of AVV's will be nothing new. From a technological standpoint, they
provide an interesting challenge, both for the virus writer and the
anti-virus virus writer.

David L. Newton       | dnewton@carroll1.UUCP          | Quote courtesy of
(414) 524-7343 (work) | dnewton@carroll1.cc.edu        | Marie Niechwiadowicz,
(414) 524-6809 (home) | 100 NE Ave, Waukesha, WI 53186 | Boston College.
[Q]: How many surrealists does it take to screw in a light bulb?
[A]: The fish.

------------------------------

Date: 26 Sep 89 00:00:00 +0000
From: David.M..Chess.CHESS@YKTVMV
Subject: re: IBM Virus (from EXPERT-L list) (PC)

Sounds basically like the Jerusalem Virus; in particular, the little
signature string given occurs in the JV. Not sure why they aren't seeing
files change in size when they're infected. Perhaps the fact that a file
gets infected when it executes (rather than when the original infected
file executes) is causing confusion. The multiple infections that
they're seeing (and attributing to disk fragmentation) are also
characteristic of the JV. Or, of course, it could be some Brand New
nasty...
DC

------------------------------

Date: Tue, 26 Sep 89 14:39:00 -0500
From: Reality is not an Industry Standard
Subject: LAN boot disks. (PC)

If your LAN o/s and cards support the function - try auto boot roms. We
run Novell nets with various cards that all autoboot from a server.
(Novell 2.1x allows you to have multiple boot files for different PCs.)
This method keeps the boot code very safe, allows for global changes,
and the students just need a blank formatted disk.

In addition, any new software gets installed from an account that does
*not* have supervisor's (operator) status - one dept. found that out the
hard way.

J. Peterson/Sys Eng
LIU-Southampton
PETERSON@LIUVAX.BITNET

------------------------------

Date: 26 Sep 89 18:22:15 +0000
From: carroll1!dtroup@uunet.UU.NET (Dave Troup)
Subject: ACS Demo - is it a virus? (Apple)

I was just looking at the disk (just unpacked) of the ACS Demo. Should
the Catalog of the disk be:

    WHAT ARE.YOU LOOKING FOR
    END OF DATA
    ]

I'm just a little leery; someone wanna check on this for me? Thanks...

"We got computers, we're tapping phone lines, knowin' that ain't allowed"

David C. Troup / Surf Rat
dtroup@carroll1.cc.edu : mail
414-524-6809

------------------------------

Date: Tue, 26 Sep 89 14:27:35 -0400
From: wayner@svax.cs.cornell.edu (Peter Wayner)
Subject: Information wanted about Selftest (tm)

Someone recently mentioned a shareware product called "selftest." Can
anyone provide me with any information about how to find the selftest
program or perhaps something about its design?

Thank you,
Peter Wayner (wayner@cs.cornell.edu)

------------------------------

Date: Tue, 26 Sep 89 15:15:38 -0400
From: Marcus J. Ranum
Subject: notchless disks (PC)

Don't let notchless disks give you a sense of false confidence!
I have a drive on my system at home with the notch detect jumpered off
on one of the drives from when I used to be a student at a place where
they used exactly the protection scheme you describe.

--mjr();

------------------------------

Date: Tue, 26 Sep 89 13:23:00 -0500
From: Holly Lee Stowe
Subject: Atari ST VIRUS ALERT!!

At least 2 instances of the "Key" virus have been found on ORIGINAL
WordUp 2.0 disks from Neocept for the Atari ST and Mega computers. If
you have WordUp 2.0, please use Virus Killer 2.2 or some other virus
checking program to check your disks!

Holly Lee Stowe, Faculty/Staff Consulting
.......................................................................
He has all the subtlety and wit of a speed bump.
                     - paraphrased from Oleg Kisilev in alt.flame

Holly Lee Stowe
Bitnet: IHLS400@INDYCMS
IUPUI Computing Services
799 West Michigan Street
Indiana U. - Purdue U. at Indianapolis
Indianapolis, IN 46202

------------------------------

Date: Tue, 26 Sep 89 13:50:23 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Lotus Virus

The new Lotus 123 virus is being turned over to Lotus Corp (a CVIA
member) for analysis and disassembly. It is imbedded in an 800K EXE file
and no-one other than Lotus was willing to attempt a disassembly. The
CVIA will publish results as soon as we get them.
Alan

------------------------------

Date: Tue, 26 Sep 89 16:16:10 -0400
From: Chris Haller
Subject: Re: IBM Virus (from EXPERT-L list) (PC)

>From: Ken Hoover
>Subject: IBM Virus (from EXPERT-L list) (PC)
>
>Original-Date: Mon, 18 Sep 89 17:38:00 EDT
>Original-From: Sanjay Hiranandani
> [text omitted]

Oh well, I was considering writing to VIRUS-L about this anyway, and
this posting precipitates a response. Here is the current situation
about the virus that showed up at Sibley Hall at Cornell University.

John McAfee's VIRUSCAN v36 identified this virus as Jerusalem B, and its
appearance and behavior correspond with this identification, AS FAR AS I
KNOW. (Would some kind soul please send me a type description of
"Jerusalem B" so I can verify the identification more completely? I
think this is the version of the Israeli that attacks both .COM and .EXE
files on both floppy and hard disks, that was modified (probably in the
U.S.) to be less obtrusive, and that WordPerfect and FoxBase catch in
the act because they detect its alteration of their file.)

We are using UNVIRUS, which we retrieved from the archive at Kansas
State, to clean up. Incidentally, we find VIRUSCAN and SCANRES very
useful and intend to ask Mr. McAfee about site licensing arrangements
for Cornell University. (That's why we haven't sent in our shareware
fees yet! Most of us on the staff here won't use software without
paying for it, except preliminarily.)

However, do not let this kind of endorsement of one person's (or
group's) efforts deter those of you who are writing other protective
software. No single program, indeed no single way of addressing the
problem, will be sufficient to protect a diverse computing community
like this from the threat of viruses.
This semester we may recommend SCANRES, but we are counting on there
still being a lot of people using FLU_SHOT+ here, and next semester we
may recommend something else, or a newer version of FLU_SHOT, or a
program that checks CRC polynomials to detect altered files or disk
sectors. The idea is that in a large and diverse community like a major
university, a virus may get started locally but it won't get very far
before it sets off an alarm on someone's system. If everyone using PCs
were using the same kind of protection, a virus written to evade that
particular protection would spread farther. This is not a new idea; it's
one I learned from reading this list! Thank you all.

-Chris Haller, Research and Analysis Systems, Cornell University

------------------------------

Date: Tue, 26 Sep 89 18:12:26 -0400
From: Steve
Subject: Tiger Teams

Maybe I just don't understand, but I personally think the "Tiger Team"
idea put forth (by David Gursky) on this list is a little ridiculous
because:

1) Most viruses are not spread by someone sneaking in at night and
against your wishes copying something onto your computer. Rather, they
are usually spread voluntarily (but unknowingly) by the user exposing
the computer to foreign contaminated disks or programs. If I always
(almost always anyway) operate within a closed system, how is letting
someone *tamper* with my computer going to help me? I'd feel much safer
just scanning for known viruses, which brings up the next point.

2) What corporation (or employee for that matter) is willing to take the
risk of letting someone (outsiders or corporation employees) *tamper*
with the computers which the company (and the employee) depends upon,
especially when proper operating procedures (regular backups, etc.) will
offer you very good protection?

3) Can you guarantee that the "Team" will not do damage? No, you cannot.
And if they are introducing live viruses, we already know that no one
can guarantee that the viruses will be benign in every situation (as
has been discussed many times by others on this list), or that they will
not get away.

------------------------------

Date: 26 Sep 89 21:43:51 +0000
From: chinet!ignatz@att.att.com
Subject: Re: Software company distributing viruses (PC)

In article <0007.8909251241.AA29279@ge.sei.cmu.edu> bnr-di!borynec@watmath.waterloo.edu (James Borynec) writes:
>Software companies may be the largest source of virus contamination
>around. After all, they send disks everywhere and no one worries
>about 'shrink wrap' software being 'unclean'. I have only been hit by
>two viruses - both came from software companies - one of which was
>Texas Instruments. The guy in the office next door was hit by a copy
>of a virus on his (shrink wrap) copy of WordPerfect. I think it is
>shocking that people are told just to watch out for viruses when
>engaged in software 'swapping'. Everyone should regard EVERY disk
>that enters their machine with suspicion.

It's probably been mentioned before, but it can't hurt to repeat. Some
software houses--especially discount stores--have a very liberal return
policy. Unfortunately, it seems that shrinkwrap equipment is neither
very expensive nor difficult to obtain, and some stores will accept such
returned software, repackage and re-shrinkwrap it, and return it to the
store shelf. Thus, you really can't be certain that the sealed
shrink-wrap you bought *hasn't* been tampered with at some point along
the line.

It really is starting to look like either there will have to be
tamper-proof shrinkwrap (as resulted from the Tylenol disaster in the
OTC consumer market), or a general practice of scanning *any* purchased
software for contamination...
Dave Ihnat
ignatz@homebru.chi.il.us (preferred return address)
ignatz@chinet.chi.il.us

------------------------------

Date: Tue, 26 Sep 89 20:24:00 -0500
From:
Subject: Tiger Teams & Viruses

Someone has suggested that "Tiger Teams" use (as one of their tests)
viruses. A "controlled" atmosphere is suggested. Like the idea of an
anti-virus virus, this usage may run out of control and cause more
damage than expected. If the tiger team fails to exterminate ALL copies
of the virus (which is very likely in the chaotic user environment),
there is the possibility of virus paranoia (i.e. lawsuits), files that
grow in size for no good reason (very dangerous when a disk is full or
nearly so [programs abend or refuse to run]), and the possibility of
lost data thru virus malfunctions.

Another problem is the nature of a tiger team using a virus: the virus
would be released in a (probably) unsuspecting work area. The presence
of strangers insisting on checking every disk that leaves the area (and
don't forget the problem of LANs and file transfers) would cause chaos.

Remember, a "good" virus used for a "good" purpose would have to be
working perfectly. And we all know how programs work perfectly under all
conditions all the time :-)

------------------------------

Date: Tue, 26 Sep 89 18:50:40 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Disk Killer Virus (PC)

The CVIA has isolated the "Disk Killer" virus after 6 months of work and
over three dozen reports. The virus activates after a random time period
which varies from a few days to a few months, and when it activates, it
performs a low level format of the hard disk - thereby destroying itself
along with everything else. As it formats, it displays the message -
"Disk Killer -- Version 1.00 by COMPUTER OGRE. Don't turn off the power
or remove the diskettes while Disk Killer is processing. I wish you
luck." The first organization to report this virus was Birchwood Systems
in San Jose in early Summer.
Additional reports were received from Washington, Oklahoma, Minnesota
and Arizona. We finally isolated it at Wedge Systems in Milpitas,
California and discovered that it is a boot sector infector that infects
hard disks and floppies. The internal messages do not appear in sector
zero, but are stored in sector 152 on floppy disks and an as yet
undetermined location on hard disks. This had always added to the
confusion over the virus because message remnants were sometimes
discovered in the middle of executable files, and it was assumed that
the virus was a COM or EXE infector.

The virus appears to be very widespread and everyone should watch out
for it. If your boot sector does not contain the standard DOS error
messages, then immediately power down and clean out the boot. (Infected
boot sectors begin with FAEB). This is a nasty virus and should be
treated cautiously. ViruScan V39 identifies the virus, but it will not
be posted till the 29th due to major revisions in SCAN's architecture
for version 39.

Alan

------------------------------

Date: 26 Sep 89 15:30:08 +0000
From: bnr-fos!bmers58!mlord@watmath.waterloo.edu (Mark Lord)
Subject: Re: SCANV38 (PC)

In article <0012.8909251241.AA29279@ge.sei.cmu.edu> portal!cup.portal.com!Alan_J_Roberts@Sun.COM writes:
>ViruScan V38 is out and has been sent to Compuserve and the
>comp.binary sites. This version identifies the MIX1, the New Ping

ViruScan V37 was recently uploaded to SIMTEL20, and a question about its
authenticity has been posted to one of the .ibm.pc newsgroups.
Apparently the length of the SCAN program is 34 bytes longer than the
constant (??) length that the author said would be preserved for all
versions. Is this a valid copy, or might it have a little parasite
attached?

-Mark

------------------------------

End of VIRUS-L Digest
*********************
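The Disk Killer post above gives three observable traits (boot sector beginning with FAEB, standard DOS boot-error text missing from sector zero, virus text stored in sector 152 of a floppy). The following is an added example, not code from the digest or the CVIA, that checks a raw floppy image for those traits; it assumes 512-byte sectors, that "sector 152" is logical sector 152 counted from zero, and that the DOS boot strings used are representative. The sample images are constructed, not real infected disks.

```python
# Added example, not part of the digest: a defender's triage of a raw floppy
# image against the Disk Killer traits described in the post. Assumes 512-byte
# sectors, that "sector 152" is logical sector 152 counted from 0, and that
# the DOS boot-sector strings below are representative (all assumptions).
SECTOR = 512
INFECTED_PREFIX = b"\xFA\xEB"          # "Infected boot sectors begin with FAEB"
MESSAGE_SECTOR = 152                   # where the post says the text lives on floppies
DOS_BOOT_STRINGS = (b"Non-System disk", b"Invalid system disk")
PAYLOAD_STRING = b"Disk Killer"        # from the message quoted in the post


def triage_floppy_image(image: bytes) -> dict:
    """Return the three observations from the post plus an overall verdict."""
    boot = image[:SECTOR]
    start = MESSAGE_SECTOR * SECTOR
    msg_sector = image[start:start + SECTOR]
    findings = {
        "starts_with_faeb": boot.startswith(INFECTED_PREFIX),
        "has_dos_boot_text": any(s in boot for s in DOS_BOOT_STRINGS),
        "payload_text_in_sector_152": PAYLOAD_STRING in msg_sector,
    }
    # Any one trait is enough to recommend powering down and cleaning the boot.
    findings["suspicious"] = (findings["starts_with_faeb"]
                              or not findings["has_dos_boot_text"]
                              or findings["payload_text_in_sector_152"])
    return findings


def build_image(boot: bytes, sector_152: bytes = b"", sectors: int = 1440) -> bytes:
    """Assemble a constructed 720K-sized image from a boot sector and sector 152."""
    layout = [b"\x00" * SECTOR] * sectors
    layout[0] = boot.ljust(SECTOR, b"\x00")[:SECTOR]
    layout[MESSAGE_SECTOR] = sector_152.ljust(SECTOR, b"\x00")[:SECTOR]
    return b"".join(layout)


# Constructed samples: a clean-looking DOS boot sector (JMP/NOP stub, its own
# error text, 55AA signature) and a sector shaped like the post's description.
CLEAN_BOOT = (b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 40
              + b"Non-System disk or disk error\r\n").ljust(510, b"\x00") + b"\x55\xAA"
SUSPECT_BOOT = (b"\xFA\xEB\x10" + b"\x90" * 100).ljust(510, b"\x00") + b"\x55\xAA"
SUSPECT_TEXT = b"Disk Killer -- Version 1.00 by COMPUTER OGRE. I wish you luck."

CLEAN_IMAGE = build_image(CLEAN_BOOT)
SUSPECT_IMAGE = build_image(SUSPECT_BOOT, SUSPECT_TEXT)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(label, triage_floppy_image(img))
```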
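Chris Haller mentions a program that checks CRC polynomials to detect altered files, and Mark Lord asks whether a SCAN copy 34 bytes longer than its published length is genuine. As an added example (not from the digest or from any of the programs it names), here is that length-plus-CRC-32 check applied to a constructed stand-in file and a constructed "published" baseline.

```python
# Added example, not part of the digest: the kind of length-plus-CRC check
# Chris Haller mentions, applied to the situation Mark Lord describes (a
# downloaded SCAN copy 34 bytes longer than its published length). File
# contents and the "published" baseline are constructed stand-ins.
import zlib


def fingerprint(data: bytes) -> tuple:
    """(length, CRC-32) of a file's contents, the values a vendor might publish."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF


def check_against_baseline(files: dict, baseline: dict) -> dict:
    """Compare each file to its published (length, crc) and report what differs.

    Caveat: a CRC catches accidental and careless alteration, not a forger
    who recomputes it, and the baseline must come from somewhere other than
    the possibly-altered copy itself.
    """
    report = {}
    for name, (exp_len, exp_crc) in baseline.items():
        if name not in files:
            report[name] = "missing"
            continue
        length, crc = fingerprint(files[name])
        if length != exp_len:
            report[name] = f"length differs by {length - exp_len:+d} bytes"
        elif crc != exp_crc:
            report[name] = "same length but CRC differs"
        else:
            report[name] = "ok"
    for name in files:
        if name not in baseline:
            report[name] = "not in baseline"
    return report


# Constructed stand-in for the distributed program and a baseline "published"
# for it; then three copies: intact, 34 bytes longer, and silently patched.
ORIGINAL = b"SCAN stand-in, constructed for this example\r\n" * 64
PUBLISHED = {"SCAN.EXE": fingerprint(ORIGINAL)}
INTACT = {"SCAN.EXE": ORIGINAL}
GROWN = {"SCAN.EXE": ORIGINAL + b"\x90" * 34}
PATCHED = {"SCAN.EXE": ORIGINAL[:100] + b"X" + ORIGINAL[101:]}

if __name__ == "__main__":
    for label, files in (("intact", INTACT), ("grown", GROWN), ("patched", PATCHED)):
        print(label, check_against_baseline(files, PUBLISHED))
```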